Windows: Named service user for puppet agent

asked 2015-08-04 14:18:15 -0600

helge

updated 2015-08-04 14:20:47 -0600


I am trying to get the puppet agent service to work in Windows. Using LocalSystem as the account user works, but I need the puppet agent service to be run under a named account for our Windows AD.

I used the installer to specify the Domain Account name; the installer grants Logon as service rights and adds the user to the local BUILTIN\Administrators group - so far so good.

However, the agent is always run with non-elevated privileges, it seems; it tries to create the directory $::system32/.puppet and does not have the permissions to do so.

Question: How do I best run Puppet Agent as service when I need network drive permissions for many of my manifests?


  • Windows 6.3 (2012r2 / 8.1)
  • OS Puppet 3.8.1

1 Answer

answered 2015-08-05 03:19:41 -0600

GlennSarti

Have you tried a few tests to ensure that it really is UAC that's blocking you?

  1. Log on as the service account locally. Open a NON-ADMIN command prompt and do a Puppet apply (noop) (Should Fail)
  2. Log on as the service account locally. Open an ADMIN command prompt and do a Puppet apply (noop) (Should work)

If it is UAC you could create a Group Policy Object (or possibly even a local GPO) with the UAC settings set to 'No Prompt' and try it. I personally haven't tried this but it may work.

Good luck!


Thanks Glenn, I tried this prior to posting here and even with an admin shell puppet runs unprivileged. However, using the default domain admin account seems to work for some reason; though my puppet account is dom admin, too. I'll stick with this for now and report back later.

helge ( 2015-08-06 09:10:29 -0600 )
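
A way to see which token each prompt in the two tests above actually has, as an added example that is not part of the original thread: the script reports whether the current process is elevated, its integrity level and the state of the Administrators group in the token, then shows the account the service is configured to run as. The service name `puppet` is an assumption; pass `-ServiceName` if yours differs.

```powershell
# Added example, not from the original thread.
# Run once from a normal prompt and once from an elevated prompt,
# logged on as the service account, and compare the two reports.
param(
    # Assumption: the agent's Windows service name; adjust if yours differs.
    [string]$ServiceName = 'puppet'
)

function Get-TokenReport {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # False when UAC has handed this process a filtered token, even if the
    # account is a member of BUILTIN\Administrators.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every SID in the token, including the integrity label
    # (S-1-16-<RID>) and deny-only groups. /nh plus explicit headers keeps
    # the parsing independent of the display language.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, SID, Attributes

    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    # Well-known integrity level RIDs.
    $levels = @{ '4096' = 'Low'; '8192' = 'Medium'; '8448' = 'Medium Plus'
                 '12288' = 'High'; '16384' = 'System' }
    $rid = if ($label) { $label.SID.Split('-')[-1] } else { $null }

    [pscustomobject]@{
        User             = $identity.Name
        IsElevated       = $elevated
        IntegrityLevel   = if ($rid -and $levels.ContainsKey($rid)) { $levels[$rid] } else { $rid }
        AdminsGroupState = if ($admins) { $admins.Attributes } else { 'not in token' }
    }
}

Get-TokenReport | Format-List

# Which account the service is actually configured to run as.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, StartName, State | Format-List
```

If both prompts report the same integrity level and `IsElevated` value, UAC token filtering is not what separates the two runs.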

